Magellan 2.0: Google addressed a new set of vulnerabilities

Google has patched five bugs in SQLite, called Magellan 2.0, that an intruder might abuse to execute malicious code within the Chrome browser remotely.
Engineers from the Tencent Blade Security Team found the bugs.

The issue is related to a feature called the WebSQL API that exposes users of Chrome to remote attacks, it is disabled by design. The JavaScript code is converted into SQL commands by the WebSQL API, which are then performed against the SQLite database.

Exactly a year ago, a critical vulnerability in SQLite database software was revealed by the same team of experts that exposed billions of vulnerable hacker apps.

SQLite is a widely adopted system for the management of relational databases in a C programming library. SQLite is not a client-server database engine, unlike many other database management frameworks. It’s rooted in the end system instead.

When the SQLite database engine reads their SQLite process, an intruder can use specially crafted SQL operations containing malicious code to execute commands on behalf of the attacker.

“Magellan 2.0 is some vulnerabilities that exist in SQLite (Former was: Magellan 1.0 ). These vulnerabilities were found by Tencent Blade Team and verified to be able to exploit remote code execution in Chromium render process.” reads the advisory published by the experts. “As a well-known database, SQLite is widely used in all modern mainstream operating systems and softwares, so this vulnerability has a wide range of influence. SQLite and Google had confirmed and fixed these vulnerabilities.”

The flaws, tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753, could cause execution of remote code or allow system memory to leak or crash.

With the announcement of Google Chrome 79.0.3945.79, Google fixed the five bugs in Magellan 2.0.

The good news is that Tencent was unaware of any Magellan 2.0 public exploit code or threats in the wild that abuse the bugs. The researchers did not release information about them at the time of announcement of the vulnerabilities.

Moseley (Raam) is an India-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. In addition to being the co-founder of this website, Moseley is also into security gateway, consulting, reading, and investigative journalism.